Upload File

owasp a1 - injection | the art of manipulation

14
OWASP A1 – Injection The art of manipulation pavanw3b

Upload: pavan-m

Post on 12-Apr-2017

124 views

Category:

Technology


4 download

Report

TRANSCRIPT

Page 1: OWASP A1 - Injection | The art of manipulation

OWASP

A1 – InjectionThe art of manipulation

pavanw3b

Page 2: OWASP A1 - Injection | The art of manipulation

$ whoami• Pavan aka pavanw3b• Security Engineer at• Null Hyd Core• Love hunting bugs• Got lucky with

• www.pavanw3b.com

Page 3: OWASP A1 - Injection | The art of manipulation

Injections – the worst ever!• Mar’08 – Heartland Payment System - 134m CC exposed • Oct’13 – $ 100,000 stolen from a California ISP• 2007 -2012: A group of hackers stole $300m from 10+

companies• 2014 – Shellshock: Remote Code Execution• 2015 – Microsoft RDP Remote Code Executionand many many other..

Page 4: OWASP A1 - Injection | The art of manipulation

Good vs Bad• Corporate Pentester

Give one week time and ask to find all the vulnerabilities.

• Attacker

Give sufficient time to find any one vulnerability to get in.

Page 5: OWASP A1 - Injection | The art of manipulation

When data become commands

Vayu, you are free to go!

Applicant Name :

Criminal Registration Form

Calling Vayu, you are free to go!

data =commands

Page 6: OWASP A1 - Injection | The art of manipulation

The dumb serverWhat file do you want to delete?

my_message.txt; echo ‘<?php system($_GET[“cmd”]); ?>’ > shell.php?file_name=

Page 7: OWASP A1 - Injection | The art of manipulation

Types of Injection1. Command Injection2. Database Injection

o SQLoNoSQL

3. LDAP4. XML Injection

Page 8: OWASP A1 - Injection | The art of manipulation

1. Remote Code Execution• User controlled data go into part of system commands.• Post Exploitation: Privilege Escalation.• Backdoor.

Page 9: OWASP A1 - Injection | The art of manipulation

2.1 SQL Injection• Perform (any) unauthorized database transaction.• Dump, drop, alter & many more.• Backdoor.

Page 10: OWASP A1 - Injection | The art of manipulation

2.2 NoSQL - No Injection?

Page 11: OWASP A1 - Injection | The art of manipulation

3. LDAP Injection

Try ( | & * and other special chars to see errors

Page 12: OWASP A1 - Injection | The art of manipulation

4. XML Injection• Attribute, Value, CDATA• XXE, XSLT, XPath

<catalog> <book id=“101”> <author>Pavan</author> <title>Dark w3b</title> <price>INR 200</price> </book></catalog>

102”><author>vayu</author><title>A treat</title><price>FREE</price></book><book id=“

<catalog> <book id=“102”> <author>vayu</author> <title>A treat</title> <price>FREE</price> </book> <book id=“101”> <author>Pavan</author> <title>Dark w3b</title> <price>INR 200</price> </book></catalog>

Payload

Result

Page 13: OWASP A1 - Injection | The art of manipulation

Some Credits• https://www.owasp.org• http://www.slideshare.net/m1ke/owasp-a1-injection• Rahul Sasi:

http://www.slideshare.net/_c0c0n_/webapp-remote-code-execution-via-scripting-engines

• Amol Naik: http://www.slideshare.net/AMolNAik3/xml-xpath-injections

• The Hacker News• CIO

Page 14: OWASP A1 - Injection | The art of manipulation

Questions?

Will be answeredin the humla session

Thanks/pavanw3b


See the OWASP Code Review Guide Article on How to Review Code for SQL Injection Vulnerabilities

SQL INJECTION DEEP DIVE - OWASP Foundation...Determinar el Tipo de SQL Injection •Identificar la Inyección •Identificar el tipo de Inyección: •STRING •NUMERICO •Tipo de

Web Security - OWASP - SQL injection & Cross Site Scripting XSS

The OWASP Foundation Injection Flaws

Improving XPath Injection - OWASP · Improving XPath Injection ... Same impact as SQL injection Yet less awareness

OWASP Top 10: Effectiveness of Web Application Firewalls · 2016. 5. 22. · WAFs vs the OWASP Top 10 A1 - Injection Attacks A2 - Broken Authentication Session Management A3 - Cross-Site

OWASP Top Ten 2013 - ossir.org · OSSIR - OWASP Top Ten 2013 par Intrinsec sous licence CC-BY-NC-ND OWASP Top 10 –2010 (Précédent) OWASP Top 10 –2013 (Nouveau) 2010-A1 –Injection

OWASP Top 10 - 2017 · OWASP Top 10 - 2013 OWASP Top 10 - 2017)Injection( ינודז דוק תקרזה–A1 )Injection( ינודז דוק תקרזה–A1:2017 החיש לוהינןונגנמו

CS 161: Computer Security · OWASP Top 10 – 2010 (Previous) OWASP Top 10 – 2013 (New) A1 – Injection A1 – Injection A3 – Broken Authentication and Session Management A2

Improving XPath Injection - OWASP · .NET 2.0: XPathExpression.Compile, XPathExpression.SetContext OWASP ESAPI Java: encodeForXPath, EncodeForXPathTag Avoid using XPath 2.0 if possible,

The SPaCIoS Tool - OWASP Foundation · OWASP Top 10 The SPaCIoS Tool A1 Injection WebGoat lesson: String SQL Injection WebGoat lesson: Numeric SQL Injection SIEMENS InfoBase and eHealth

OWASP TOP 10 + Java EE · •SQL, OS Shell, LDAP, XPath, Hibernate, etc ... Exercícios: Command Injection Numeric SQL Injection LAB SQL Injection Stage 1 Stage 3 18

Laufzeitanalyse & Manipulation von Apple iOS Apps · 2020-01-17 · Dynamic Library Injection Nachladen einer Bibliothek [2] über die ... # cycript -p ... OWASP Web Application

Cross Domain Injection and Exploits · Ajax/RIA call OWASP 20 Ajax/RIA call Demo. 11 OWASP 21 Discovery JSON XML JS-Script JS-Array JS-Object Demo OWASP 22 RIA fingerprints Demo Demo

owasp Top 10 2007 For Print - Um€¦ · A2 – Injection Flaws Injection flaws, particularly SQL injection, are common in web applications. Injection occurs when user-supplied data

Falhas de Injeção 3.1.1 – SQL Injection - projetos.inf.ufsc.br Em... · 3.1 – Falhas de Injeção 3.1.1 – SQL Injection O que é SQL Injection Segundo a definição da OWASP

Web Security: Session management and CSRFcs161/sp18/slides/4.5... · 2018-04-07 · OWASP Top 10 – 2010 (Previous) OWASP Top 10 ––2013 (New) A1 – Injection A1 – Injection

OWASPTop10-2010 McRee generic · OWASP Top Ten Web Application Security Risks • A1: Injection: – Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data

OWASP Top 10 – 2010...OWASP Top 10 – 2007 (Previous) OWASP Top 10 – 2010 (New) A2 – Injection Flaws A1 – Injection ... • May also allow full database schema, or account

OWASP Top 10 Schulung › ... › 2018 › OWASP_Top_10_Homepage.pdfEntwicklung der OWASP Top 10 OWASP Top Ten - 2010 OWASP Top Ten - 2013 OWASP Top Ten –2017 A1 –Injection Flaws

OWASP XPath injection

SQL injection: Not only AND 1=1Front Range OWASP Conference, Denver (USA) March 5, 2009 2 Introduction From the OWASP Testing Guide : “SQL injection attacks are a type of injection

HISOLUTIONS SCHWACHSTELLEN-REPORT 2020€¦ · 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% Injection (OWASP A1) Broken Authentication (OWASP A2) Sensitive Data Exposure (OWASP A3)

OWASP Top 10 - conf.ellak.gr · OWASP A1. Injection APPLICATION ATTACK HTTP request SQL query HTTP DB Table response "SELECT * FROM accounts WHERE acct=‘’ OR 1=1--’" 1. Application

SQL injection: Not only AND 1=1 - OWASP Range OWASP Conference, Denver (USA) March 5, 2009 3 How does it work? Detection of a possible SQL injection flaw Back-end database management

Security Testing & The Depth Behind OWASP Top 10tjscissp.€¦ · OWASP Top 10 2013 OWASP Top 10 –2013 has evolved: •2013-A1 –Injection •2013-A2 –Broken Authentication and

Unicode Smuggling or SQL Smuggling - OWASP · PDF fileAgenda SQL Injection Revisited Classic Smuggling Introducing SQL Smuggling Common SQL Smuggling Unicode Smuggling OWASP 3 Applicability

OWASP (Membership) and new OWASP Projects · OWASP 7 OWASP

OWASP Top 10 Proactive Controls Project · 2016. 3. 3. · stop various forms of injection including command injection (Unix command encoding, Windows command encoding), LDAP injection

Secure Facebook Applications - OWASP · a.k.a. HTML Injection, Web Content Injection Code injection targeting the client side Essentially, XSS lets an attacker modify the source code

Web 2.0 Testing - OWASP · XML poisoning injection Flash Parameter Injection ... Web services routing ... •Perform an effective manual testing rather than running automated tools

Application Security Testing Procedure - T&VS...OWASP Top 10 - 2010 (Previous) OWASP Top 10 - 2013 (New) A1 - Injection A1 - Injection ... ) A2 - Cross-Site Scripting (XSS) A4 - Insecure

OWASP Top 10 – 2010...OWASP - 2010 A1 – Avoiding Injection Flaws Recommendations 1. Avoid the interpreter entirely, or 2. Use an interface that supports bind variables (e.g., prepared

OWASP Top 10 - KTH · OWASP – TOP 10 • OWASP Top 10 Web Application Security Risks for 2010 are: • A1: Injection • A2: Cross-Site Scripting (XSS) • A3: Broken Authentication

OWASP Top 10 2007 - cat slave diary – mostly useless ... · 8& A2!INJECTION!FLAWS! Injections,particularlySQLinjections,arecommoninwebapplications.Injectionsarepossibleduetointerminglingofuser